LibTLS+LibWeb: Decouple EC parameters from TLS::SupportedGroup

This is in preparation of the next commits to split the changes.
Author: https://github.com/devgianlu Commit: fcdcba51f5 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/2563 Reviewed-by: https://github.com/alimpfard ✅
2025-06-09 17:44:56 +09:00 · 2024-11-24 21:39:56 +01:00 · 2024-11-24 21:39:56 +01:00 · fcdcba51f5 · 2024-11-25 13:12:18 +00:00
commit fcdcba51f5
parent 32a90a7fd1
6 changed files with 36 additions and 21 deletions
--- a/Libraries/LibTLS/Certificate.cpp
+++ b/Libraries/LibTLS/Certificate.cpp
@ -76,16 +76,6 @@ namespace TLS {
        }                                                                               \
    } while (0)
 static ErrorOr<SupportedGroup> oid_to_curve(Vector<int> curve)
 {
    if (curve == curve_ansip384r1)
        return SupportedGroup::SECP384R1;
    else if (curve == curve_prime256)
        return SupportedGroup::SECP256R1;
    return Error::from_string_literal("Unknown curve oid");
 }
 static ErrorOr<Crypto::UnsignedBigInteger> parse_certificate_version(Crypto::ASN1::Decoder& decoder, Vector<StringView> current_scope)
 {
    // Version ::= INTEGER {v1(0), v2(1), v3(2)}
@ -111,7 +101,7 @@ static ErrorOr<Crypto::UnsignedBigInteger> parse_serial_number(Crypto::ASN1::Dec
    return serial;
 }
-static ErrorOr<SupportedGroup> parse_ec_parameters(Crypto::ASN1::Decoder& decoder, Vector<StringView> current_scope)
+static ErrorOr<Vector<int>> parse_ec_parameters(Crypto::ASN1::Decoder& decoder, Vector<StringView> current_scope)
 {
    // ECParameters ::= CHOICE {
    //     namedCurve      OBJECT IDENTIFIER
@ -136,7 +126,7 @@ static ErrorOr<SupportedGroup> parse_ec_parameters(Crypto::ASN1::Decoder& decode
        ERROR_WITH_SCOPE(TRY(String::formatted("Unknown named curve {}", named_curve)));
    }
-    return oid_to_curve(named_curve);
+    return named_curve;
 }
 static ErrorOr<AlgorithmIdentifier> parse_algorithm_identifier(Crypto::ASN1::Decoder& decoder, Vector<StringView> current_scope)
--- a/Libraries/LibTLS/Certificate.h
+++ b/Libraries/LibTLS/Certificate.h
@ -188,7 +188,7 @@ struct AlgorithmIdentifier {
    }
    Vector<int, 9> identifier;
-    SupportedGroup ec_parameters {};
+    Optional<Vector<int>> ec_parameters;
 };
 struct BasicConstraints {
--- a/Libraries/LibTLS/HandshakeServer.cpp
+++ b/Libraries/LibTLS/HandshakeServer.cpp
@ -488,7 +488,13 @@ ssize_t TLSv12::verify_ecdsa_server_key_exchange(ReadonlyBytes server_key_info_b
    ErrorOr<bool> res = AK::Error::from_errno(ENOTSUP);
    auto& public_key = m_context.certificates.first().public_key;
-    switch (public_key.algorithm.ec_parameters) {
+    auto ec_curve = oid_to_curve(public_key.algorithm.ec_parameters.value_or({}));
    if (ec_curve.is_error()) {
        dbgln("verify_ecdsa_server_key_exchange failed: Unknown curve for ECDSA signature verification");
        return (i8)Error::NotUnderstood;
    }
    switch (ec_curve.release_value()) {
    case SupportedGroup::SECP256R1: {
        Crypto::Hash::Manager manager(hash_kind);
        manager.update(message);
@ -508,7 +514,7 @@ ssize_t TLSv12::verify_ecdsa_server_key_exchange(ReadonlyBytes server_key_info_b
        break;
    }
    default: {
-        dbgln("verify_ecdsa_server_key_exchange failed: Server certificate public key algorithm is not supported: {}", to_underlying(public_key.algorithm.ec_parameters));
+        dbgln("verify_ecdsa_server_key_exchange failed: Server certificate public key algorithm is not supported: {}", to_underlying(ec_curve.release_value()));
        break;
    }
    }
--- a/Libraries/LibTLS/TLSv12.cpp
+++ b/Libraries/LibTLS/TLSv12.cpp
@ -364,7 +364,13 @@ bool Context::verify_certificate_pair(Certificate const& subject, Certificate co
    }
    // ECDSA hash verification: hash, then check signature against the specific curve
-    switch (issuer.public_key.algorithm.ec_parameters) {
+    auto ec_curve = oid_to_curve(issuer.public_key.algorithm.ec_parameters.value_or({}));
    if (ec_curve.is_error()) {
        dbgln("verify_certificate_pair: Unknown curve for ECDSA signature verification");
        return false;
    }
    switch (ec_curve.release_value()) {
    case SupportedGroup::SECP256R1: {
        Crypto::Hash::Manager hasher(kind);
        hasher.update(subject.tbs_asn1.bytes());
@ -401,7 +407,7 @@ bool Context::verify_certificate_pair(Certificate const& subject, Certificate co
        return result;
    }
    default:
-        dbgln("verify_certificate_pair: Don't know how to verify signature for curve {}", to_underlying(issuer.public_key.algorithm.ec_parameters));
+        dbgln("verify_certificate_pair: Don't know how to verify signature for curve {}", to_underlying(ec_curve.release_value()));
        return false;
    }
 }
@ -588,4 +594,15 @@ ErrorOr<Vector<Certificate>> DefaultRootCACertificates::parse_pem_root_certifica
    return certificates;
 }
 ErrorOr<SupportedGroup> oid_to_curve(Vector<int> curve)
 {
    if (curve == curve_ansip384r1)
        return SupportedGroup::SECP384R1;
    if (curve == curve_prime256)
        return SupportedGroup::SECP256R1;
    return AK::Error::from_string_literal("Unknown curve oid");
 }
 }
--- a/Libraries/LibTLS/TLSv12.h
+++ b/Libraries/LibTLS/TLSv12.h
@ -139,6 +139,8 @@ constexpr CipherAlgorithm get_cipher_algorithm(CipherSuite suite)
    }
 }
 ErrorOr<SupportedGroup> oid_to_curve(Vector<int> curve);
 struct Options {
    static Vector<CipherSuite> default_usable_cipher_suites()
    {
--- a/Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp
+++ b/Libraries/LibWeb/Crypto/CryptoAlgorithms.cpp
@ -2724,7 +2724,7 @@ WebIDL::ExceptionOr<GC::Ref<CryptoKey>> ED25519::import_key(
            return WebIDL::DataError::create(m_realm, "Invalid algorithm identifier"_string);
        // 5. If the parameters field of the algorithm AlgorithmIdentifier field of spki is present, then throw a DataError.
-        if (static_cast<u16>(spki.algorithm.ec_parameters) != 0)
+        if (spki.algorithm.ec_parameters.has_value())
            return WebIDL::DataError::create(m_realm, "Invalid algorithm parameters"_string);
        // 6. Let publicKey be the Ed25519 public key identified by the subjectPublicKey field of spki.
@ -2767,7 +2767,7 @@ WebIDL::ExceptionOr<GC::Ref<CryptoKey>> ED25519::import_key(
        // 5. If the parameters field of the privateKeyAlgorithm PrivateKeyAlgorithmIdentifier field of privateKeyInfo is present,
        //    then throw a DataError.
-        if (static_cast<u16>(private_key_info.algorithm.ec_parameters) != 0)
+        if (private_key_info.algorithm.ec_parameters.has_value())
            return WebIDL::DataError::create(m_realm, "Invalid algorithm parameters"_string);
        // 6. Let curvePrivateKey be the result of performing the parse an ASN.1 structure algorithm,
@ -3417,7 +3417,7 @@ WebIDL::ExceptionOr<GC::Ref<CryptoKey>> X25519::import_key([[maybe_unused]] Web:
            return WebIDL::DataError::create(m_realm, "Invalid algorithm"_string);
        // 5. If the parameters field of the algorithm AlgorithmIdentifier field of spki is present, then throw a DataError.
-        if (static_cast<u16>(spki.algorithm.ec_parameters) != 0)
+        if (spki.algorithm.ec_parameters.has_value())
            return WebIDL::DataError::create(m_realm, "Invalid algorithm parameters"_string);
        // 6. Let publicKey be the X25519 public key identified by the subjectPublicKey field of spki.
@ -3458,7 +3458,7 @@ WebIDL::ExceptionOr<GC::Ref<CryptoKey>> X25519::import_key([[maybe_unused]] Web:
            return WebIDL::DataError::create(m_realm, "Invalid algorithm"_string);
        // 5. If the parameters field of the privateKeyAlgorithm PrivateKeyAlgorithmIdentifier field of privateKeyInfo is present, then throw a DataError.
-        if (static_cast<u16>(private_key_info.algorithm.ec_parameters) != 0)
+        if (private_key_info.algorithm.ec_parameters.has_value())
            return WebIDL::DataError::create(m_realm, "Invalid algorithm parameters"_string);
        // 6. Let curvePrivateKey be the result of performing the parse an ASN.1 structure algorithm,